Since I was a wee programmer trainee, I've wondered why such a fuss is made 
about TSO execution when almost anyone who can logon to TSO can concoct a 
random set of JCL cards and SUBMIT them. Including STEPLIB to any library the 
user has SAF access to. Why do we worry so much more about 'foreground' than 
'background' processes? Could it be a fuddy-duddy holdover from the days when 
our forefathers were dragged kicking and screaming from the environment of 
punch cards into the wild world of glass and pixels?

Or maybe there's a good reason I'm missing. 

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
[email protected]


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf 
Of Tom Conley
Sent: Friday, September 22, 2017 1:44 PM
To: [email protected]
Subject: (External):Re: Dynamic Steplib and z/OS 2.3?

On 9/22/2017 4:19 PM, Rob Schramm wrote:
> Possible is in the eye of the coder.  Most everything "can" be done.
> Whether it is a good idea or not is another discussion ( i.e. Walt's 
> comment ).
> 
> I can break MVS integrity, security etc etc.  Just look at 
> www.krisecurity.com for examples found on how to break integrity.  
> There are loads of ways to do it.
> 
> I can't help but agree with Walt that without very careful 
> consideration, dynamic STEPLIBs might be a terrible thing.
> 
> Rob
> 
> On Fri, Sep 22, 2017 at 4:11 PM Blaicher, Christopher Y. < 
> [email protected]> wrote:
> 
>> I think you are a little off.  A static concatenation cannot result 
>> in a mix of authorized and unauthorized libraries and the program 
>> running authorized.
>>
>> Contents supervisor, when it goes to load the first module from EXEC 
>> PGM= checks the JOBLIB or STEPLIB for all libraries to be authorized, 
>> else the program while still being loaded will not run authorized.  
>> If the program is being loaded from the LINKLST, it checks that the 
>> library it is being loaded from is authorized, otherwise it once again runs 
>> as unauthorized.
>>
>> At some later point, a load of a module from a library in the 
>> LINKLST that is not authorized, or a directed LOAD/LINK/ATTACH/XCTL 
>> with a non-authorized library specified, will result in an ABEND.
>>
>> I hope the writers of the STEPLIB concatenation routine were thorough 
>> enough to check the current authorization status of the job step and, 
>> if it is running authorized, validated that the library being added 
>> is also authorized.  Otherwise the concatenation should fail.
>>
>> If your shop has this function, I would verify that you cannot add an 
>> unauthorized library to a STEPLIB or JOBLIB.  If you can, you have 
>> just left a hole the size of the Lincoln Tunnel in your system.
>>
>> Chris Blaicher
>> Technical Architect
>> Mainframe Development
>> P: 201-930-8234  |  M: 512-627-3803
>> E: [email protected]
>>
>> Syncsort Incorporated
>> 2 Blue Hill Plaza #1563
>> Pearl River, NY 10965
>> www.syncsort.com

Dynamic STEPLIB is designed to run under TSO.  It provides the ability to 
satisfy CALL/LINK/ATTACH modules in ISPF for testing, multiple releases, etc.  
Some ill-behaved ISPF apps don't use SELECT PGM, so they have to be available 
in the standard search order.  Nice apps like QMF provide a DD like DSQLLIB and 
then load from there.  For those that don't, we need Dynamic STEPLIB.  APF 
authorization should not be an issue, because if you are trying to run TSO 
authorized, you've already lost.

Regards,
Tom Conley


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
